1/* dave@treblig.org */ 2#include <sys/select.h> 3#include <sys/time.h> 4#include <sys/types.h> 5#include <stdlib.h> 6#include <string.h> 7#include <unistd.h> 8 9char buffer[1024*1024*2]; 10 11int main() 12{ 13 fd_set rds; 14 struct timeval timeout; 15 16 FD_ZERO(&rds); 17 FD_SET(2, &rds); 18 /* Start with a nice simple select */ 19 select(3, &rds, &rds, &rds, NULL); 20 21 /* Now the crash case that trinity found, negative nfds 22 * but with a pointer to a large chunk of valid memory. 23 */ 24 FD_ZERO((fd_set*)buffer); 25 FD_SET(2,(fd_set*)buffer); 26 select(-1, (fd_set *)buffer, NULL, NULL, NULL); 27 28 /* Another variant, with nfds exceeding allowed limit. */ 29 timeout.tv_sec = 0; 30 timeout.tv_usec = 100; 31 select(FD_SETSIZE + 1, (fd_set *)buffer, NULL, NULL, &timeout); 32 33 return 0; 34} 35